Encrypt a WorkSpace

Amazon WorkSpaces is integrated with the AWS Key Management Service (AWS KMS). This enables you to encrypt the storage volumes of WorkSpaces using customer master keys (CMKs). When you launch a WorkSpace, you have the option to encrypt the root volume (C: drive), the user volume (D: drive), or both. This ensures that the data stored at rest, disk I/O to the volume, and snapshots created from the volumes are all encrypted.

Prerequisites

You need an AWS KMS CMK before you can begin the encryption process.

The first time you launch a WorkSpace from the Amazon WorkSpaces console in a region, a default CMK is created for you automatically. You can select this key to encrypt the user and root volumes of your WorkSpace.

Alternatively, you can select a CMK that you created using AWS KMS. For more information about creating keys, see Creating Keys in the AWS Key Management Service Developer Guide. For more information about creating keys using the AWS KMS API, see Working With Keys in the AWS Key Management Service Developer Guide.

You must meet the following requirements to use an AWS KMS CMK to encrypt your WorkSpaces:

Select the volumes to encrypt: Root Volume, User Volume, or both volumes.

For Encryption Key, choose your AWS KMS CMK.

Choose Next Step.

Choose Launch WorkSpaces.

Viewing Encrypted WorkSpaces

To see which WorkSpaces and volumes have been encrypted from the Amazon WorkSpaces console, choose WorkSpaces from the navigation bar on the left. The Volume Encryption column shows whether each WorkSpace has encryption enabled or disabled. To see which specific volumes have been encrypted, expand the WorkSpace entry to see the Encrypted Volumes field.
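The console view above is fine for a handful of WorkSpaces; for a fleet you would usually pull the same information from the DescribeWorkspaces API and flag anything that is not encrypted. The script below is an added example and is not part of the AWS documentation. It works on a constructed response shaped like DescribeWorkspaces output (the field names RootVolumeEncryptionEnabled, UserVolumeEncryptionEnabled and VolumeEncryptionKey are the API's; the IDs, user names and key ARN are made-up placeholders) so that it runs offline; in practice you would feed it the pages returned by boto3's describe_workspaces call.

```python
"""Flag WorkSpaces whose root or user volume is not encrypted.

Added example; the sample response is constructed, not captured from an account.
"""

# Constructed sample shaped like a DescribeWorkspaces response. Field names are
# the WorkSpaces API's; every value is a placeholder.
SAMPLE_RESPONSE = {
    "Workspaces": [
        {
            "WorkspaceId": "ws-0000000001",
            "UserName": "alice",
            "RootVolumeEncryptionEnabled": True,
            "UserVolumeEncryptionEnabled": True,
            "VolumeEncryptionKey": "arn:aws:kms:us-east-1:123456789012:key/"
                                   "00000000-0000-0000-0000-000000000000",
        },
        {
            # Only the user volume (D:) was encrypted at launch.
            "WorkspaceId": "ws-0000000002",
            "UserName": "bob",
            "RootVolumeEncryptionEnabled": False,
            "UserVolumeEncryptionEnabled": True,
            "VolumeEncryptionKey": "arn:aws:kms:us-east-1:123456789012:key/"
                                   "00000000-0000-0000-0000-000000000000",
        },
        {
            # Launched without encryption: the flags are absent entirely.
            "WorkspaceId": "ws-0000000003",
            "UserName": "carol",
        },
    ]
}


def encryption_status(workspace):
    """Normalise one Workspace record into a small status dict.

    A missing flag is treated as 'not encrypted', which is the conservative
    reading for an audit.
    """
    return {
        "WorkspaceId": workspace.get("WorkspaceId"),
        "root": bool(workspace.get("RootVolumeEncryptionEnabled", False)),
        "user": bool(workspace.get("UserVolumeEncryptionEnabled", False)),
        "key": workspace.get("VolumeEncryptionKey"),
    }


def find_unencrypted(response, require_root=True, require_user=True):
    """Return the IDs of WorkSpaces that miss a required volume encryption.

    Pass require_root=False (or require_user=False) if your policy only
    mandates one of the two volumes.
    """
    flagged = []
    for status in (encryption_status(w) for w in response.get("Workspaces", [])):
        if (require_root and not status["root"]) or (require_user and not status["user"]):
            flagged.append(status["WorkspaceId"])
    return flagged


def summarize(response):
    """Status for every WorkSpace, in the order the API returned them."""
    return [encryption_status(w) for w in response.get("Workspaces", [])]


if __name__ == "__main__":
    for status in summarize(SAMPLE_RESPONSE):
        print(f"{status['WorkspaceId']}: root={status['root']} user={status['user']} key={status['key']}")
    print("Needs attention:", find_unencrypted(SAMPLE_RESPONSE))
```

With a real account, iterate over the pages from describe_workspaces (it returns at most 25 WorkSpaces per call and uses NextToken) and pass each page to find_unencrypted; a non-empty result is the list you would escalate, since volume encryption can only be chosen at launch and an unencrypted WorkSpace has to be rebuilt rather than converted in place.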

IAM Permissions and Roles for Encryption

Amazon WorkSpaces encryption privileges require limited AWS KMS access on a given key for the IAM user who launches encrypted WorkSpaces. The following is a sample key policy that can be used. This policy enables you to separate the principals that can manage the AWS KMS CMK from those that can use it. The account ID and IAM user name must be modified to match your account.

The first statement matches the default AWS KMS key policy. The second and third statements define which AWS principals can manage and use the key, respectively. The fourth statement enables AWS services that are integrated with AWS KMS to use the key on behalf of the specified principal. This statement enables AWS services to create and manage grants. The condition uses a context key that is set only for AWS KMS calls made by AWS services on behalf of the customers.

The IAM policy for a user or role that is encrypting a WorkSpace should include usage permissions on the CMK, as well as access to WorkSpaces. The following is a sample policy that can be attached to an IAM user to grant them WorkSpaces privileges.
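The two sample policies referred to above are not reproduced on this page, so the following added example builds both from the four-statement description (default root statement, key administrators, key users, and grant creation limited to AWS services via kms:GrantIsForAWSResource) and then checks them the way a reviewer would before attaching them. It is not AWS's own sample code. The account ID, the KeyAdmin and WorkSpacesAdmin user names and the key ARN are placeholders; the KMS actions and the condition key are real, while the identity policy's action list is an assumption trimmed to WorkSpaces access plus key usage.

```python
"""Build and sanity-check the KMS key policy and IAM policy for encrypted WorkSpaces.

Added example; principal ARNs, account ID and key ARN are placeholders.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"                                          # placeholder
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/KeyAdmin"               # manages the CMK
LAUNCHER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/WorkSpacesAdmin"     # launches encrypted WorkSpaces
KEY_ARN = (f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/"
           "00000000-0000-0000-0000-000000000000")                    # placeholder

# What a launching principal needs on the key (third statement).
KMS_USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                     "kms:GenerateDataKey*", "kms:DescribeKey"]
# Grant operations AWS services perform on the principal's behalf (fourth statement).
KMS_GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def build_key_policy(account_id, admin_arn, user_arn):
    """Key policy with the four statements the text describes."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions",            # 1: default key policy
             "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow access for Key Administrators",    # 2: manage, not use
             "Effect": "Allow",
             "Principal": {"AWS": admin_arn},
             "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                        "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                        "kms:CancelKeyDeletion"],
             "Resource": "*"},
            {"Sid": "Allow use of the key",                    # 3: use, not manage
             "Effect": "Allow",
             "Principal": {"AWS": user_arn},
             "Action": KMS_USAGE_ACTIONS, "Resource": "*"},
            {"Sid": "Allow attachment of persistent resources",  # 4: grants via services
             "Effect": "Allow",
             "Principal": {"AWS": user_arn},
             "Action": KMS_GRANT_ACTIONS, "Resource": "*",
             # Context key set only when an AWS service calls KMS for the principal,
             # so the user cannot hand out grants directly.
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def build_user_policy(key_arn):
    """Identity policy for the launching user: WorkSpaces plus usage of one CMK.

    The action set is an assumption kept to the essentials; scope KMS to the
    key ARN rather than "*" so the user cannot use unrelated keys.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "workspaces:*", "Resource": "*"},
            {"Effect": "Allow", "Action": KMS_USAGE_ACTIONS + KMS_GRANT_ACTIONS,
             "Resource": key_arn},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions_for(policy, principal_arn):
    """Collect the Allow actions a key policy grants to one principal ARN."""
    actions = set()
    for stmt in policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if stmt.get("Effect") == "Allow" and principal_arn in principals:
            actions.update(_as_list(stmt["Action"]))
    return actions


def missing_usage_actions(policy, principal_arn):
    """Usage actions the principal lacks; wildcards like kms:ReEncrypt* count."""
    granted = allowed_actions_for(policy, principal_arn)
    needed = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey",
              "kms:DescribeKey", "kms:CreateGrant"]
    return [a for a in needed if not any(fnmatch.fnmatchcase(a, p) for p in granted)]


def grant_statement_is_scoped(policy):
    """True when every statement naming kms:CreateGrant explicitly carries the
    kms:GrantIsForAWSResource condition (the root kms:* statement is exempt)."""
    for stmt in policy["Statement"]:
        if "kms:CreateGrant" in _as_list(stmt.get("Action")):
            cond = stmt.get("Condition", {}).get("Bool", {})
            if str(cond.get("kms:GrantIsForAWSResource", "")).lower() != "true":
                return False
    return True


if __name__ == "__main__":
    key_policy = build_key_policy(ACCOUNT_ID, ADMIN_ARN, LAUNCHER_ARN)
    print(json.dumps(key_policy, indent=2))
    print("launcher missing:", missing_usage_actions(key_policy, LAUNCHER_ARN))
    print("admin missing:", missing_usage_actions(key_policy, ADMIN_ARN))
    print("grants scoped to AWS services:", grant_statement_is_scoped(key_policy))
```

The two check functions capture the separation the text is after: the administrator comes back missing every usage action (they can rotate, disable or delete the key but not encrypt with it), the launching user comes back with nothing missing, and grant creation is only honoured when WorkSpaces makes the call. Run the same checks against the policy you actually attach, since a hand-edited policy that drops the condition silently widens what the user can do with the key.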